In February 2022, Asite became one of the only software platforms for the built environment to achieve the prestigious accreditation issued by the UK’s Cyber Defence and Risk (CyDR) Team.
This top security accreditation enables Ministry of Defence (MoD) information to be stored and processed through the cloud-based Asite Platform.
This new accreditation demonstrates Asite’s cyber security maturity as an organization and its commitment to protecting its customers’ data.
To learn more about what it means for Asite and its clients, Chris Cannings, Chief Information Security Officer at Asite, answered four questions about the prestigious accreditation:
Q: What is the UK Ministry of Defence CyDR accreditation?
A: It’s issued by the Defence Infrastructure Organisation (DIO), which is part of the UK Ministry of Defence.
Put simply, this accreditation means that the Asite Platform has undergone security risk assessment by the DIO, and they’re comfortable that it meets their robust requirements. Without this accreditation, IT systems and services can’t be used to store or process MoD information.
Being CyDR accredited isn’t a 'one shot' assessment. Asite has obligations to continuously demonstrate their capability in terms of meeting MoD requirements. This includes things like regular IT Health Checks, Security Working Groups, and ongoing security testing and assurance.
It’s worth pointing out, sometimes people use the term CyDR and DART interchangeably, but while the two are related, they are different things:
- CyDR is the sponsor of the accreditation process for MoD
- DART stands for 'Defence Assurance Risk Tool'; this is the tool/methodology used to track and manage information as it relates to CyDR accreditation. Accredited IT systems and services are registered through DART
Q: What are the drivers behind CyDR?
A: Like many accreditations, CyDR accreditation was created to help manage the risk around ICT (Information and Communications Technology) systems used by MoD. Standardizing this approach helps MoD in the consistent management of risk and being able to measure risk in a 'like for like' approach.
This helps avoid confusion for people within MoD wishing to use ICT—they can easily make sure they’re using systems that are appropriately secured. A consistent approach simplifies and reduces the chances for mistakes and supports transparency.
Q: What did Asite have to do to achieve this accreditation?
A: Historically, Asite has always invested heavily in information security, and already holds ISO 27001 security certification—this means Asite maintains and operates its Information Security Management System (ISMS) to a high standard.
Asite was also previously approved for use by another government agency—so given Asite was already mature in the world of information security, this made it straightforward for Asite to demonstrate it met the requirements set out by CyDR/MoD.
The challenge really was completing the paperwork and making sure everything was articulated in an appropriate format for MoD—they’re (thankfully) rigorous in their assessment.
End to end, it took about six months—as I’d just said, they’re rigorous in their assessment, so the bulk of the time was in the preparation of documentation and evidence in the appropriate format, as well as walking through various (very detailed!) assessments.
As I said earlier, this isn’t a one-time thing. Accreditation expires after 36 months; but we have lots of obligations around continually being able to demonstrate compliance, as well as undergoing regular independent assurance.
While trying to remain modest, I think they were impressed. When they came in, they found that we had all our evidence ready, we knew what we were doing, and we were professional in how we were doing it—having already obtained ISO 27001 certification we already had our controls defined, operating, and demonstrable. Having historically invested heavily in security, we were very comfortable demonstrating our capability.
Q: What does it mean for Asite and its users?
A: Having this accreditation means that:
a) MoD can feel assured that Asite, and the Asite Platform is a safe and trustworthy partner and service provider. MoD data and projects can be handled safely by the Asite Platform.
b) For all our clients, it means they should also feel safe and assured in the same way—worth pointing out that CyDR accreditation wasn’t for some special 'MoD' part of the platform; the whole thing is assured—there’s nothing special about the MoD controls, they’re applied in the same way for all clients. This is further assurance to all clients that the Asite Platform is a safe and secure place to collaborate and manage their projects. As I’ve said previously, this wasn’t a special 'MoD Enclave' of security; this accreditation applies to the entire platform—all our customers are protected by the same level of controls.
Adding to Asite’s Existing Security Strength
The CyDR accreditation highlights Asite’s longstanding commitment to ensuring unparalleled security and reliability to its clients. This is the latest installment in a strong history of high-quality security measures across the Asite Platform.
These measures include robust disaster recovery, ISO 27001 certification, and Cyber Essentials, alongside Asite’s regional data centers—across the UK, Europe, North America, Middle East, and Australia-Pacific regions—to ensure data sovereignty.
As Asite continues to grow and develop its capabilities, the security of our users will remain at the forefront. All customers can expect their data to be handled and processed with a high level of protection, regardless of the quantity or sensitivity level.
Want to discover more about how your business can benefit from using one of the construction industry’s most secure cloud platforms for building and maintaining assets? Learn more here.